forked from AkkomaGang/akkoma
/notice signing checks on redirect (#150)
Reviewed-on: AkkomaGang/akkoma#150
This commit is contained in:
parent
3b973d0627
commit
ec162b496b
2 changed files with 47 additions and 11 deletions
|
@ -5,6 +5,8 @@
|
|||
defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
|
||||
import Plug.Conn
|
||||
import Phoenix.Controller, only: [get_format: 1, text: 2]
|
||||
alias Pleroma.Activity
|
||||
alias Pleroma.Web.Router
|
||||
require Logger
|
||||
|
||||
def init(options) do
|
||||
|
@ -25,11 +27,25 @@ def call(conn, _opts) do
|
|||
end
|
||||
end
|
||||
|
||||
defp maybe_assign_valid_signature(conn) do
|
||||
if has_signature_header?(conn) do
|
||||
# set (request-target) header to the appropriate value
|
||||
# we also replace the digest header with the one we computed
|
||||
request_target = String.downcase("#{conn.method}") <> " #{conn.request_path}"
|
||||
def route_aliases(%{path_info: ["objects", id]} = conn) do
|
||||
ap_id = Router.Helpers.o_status_url(Pleroma.Web.Endpoint, :object, id)
|
||||
|
||||
with %Activity{} = activity <- Activity.get_by_object_ap_id_with_object(ap_id) do
|
||||
["/notice/#{activity.id}"]
|
||||
else
|
||||
_ -> []
|
||||
end
|
||||
end
|
||||
|
||||
def route_aliases(_), do: []
|
||||
|
||||
defp assign_valid_signature_on_route_aliases(conn, []), do: conn
|
||||
|
||||
defp assign_valid_signature_on_route_aliases(%{assigns: %{valid_signature: true}} = conn, _),
|
||||
do: conn
|
||||
|
||||
defp assign_valid_signature_on_route_aliases(conn, [path | rest]) do
|
||||
request_target = String.downcase("#{conn.method}") <> " #{path}"
|
||||
|
||||
conn =
|
||||
conn
|
||||
|
@ -39,7 +55,17 @@ defp maybe_assign_valid_signature(conn) do
|
|||
conn -> conn
|
||||
end
|
||||
|
||||
assign(conn, :valid_signature, HTTPSignatures.validate_conn(conn))
|
||||
conn
|
||||
|> assign(:valid_signature, HTTPSignatures.validate_conn(conn))
|
||||
|> assign_valid_signature_on_route_aliases(rest)
|
||||
end
|
||||
|
||||
defp maybe_assign_valid_signature(conn) do
|
||||
if has_signature_header?(conn) do
|
||||
# set (request-target) header to the appropriate value
|
||||
# we also replace the digest header with the one we computed
|
||||
possible_paths = route_aliases(conn) ++ [conn.request_path]
|
||||
assign_valid_signature_on_route_aliases(conn, possible_paths)
|
||||
else
|
||||
Logger.debug("No signature header!")
|
||||
conn
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
|
||||
defmodule Pleroma.Web.Plugs.HTTPSignaturePlugTest do
|
||||
use Pleroma.Web.ConnCase
|
||||
import Pleroma.Factory
|
||||
alias Pleroma.Web.Plugs.HTTPSignaturePlug
|
||||
|
||||
import Plug.Conn
|
||||
|
@ -81,5 +82,14 @@ test "halts the connection when `signature` header is not present", %{conn: conn
|
|||
assert conn.state == :sent
|
||||
assert conn.resp_body == "Request not signed"
|
||||
end
|
||||
|
||||
test "aliases redirected /object endpoints", _ do
|
||||
obj = insert(:note)
|
||||
act = insert(:note_activity, note: obj)
|
||||
params = %{"actor" => "http://mastodon.example.org/users/admin"}
|
||||
path = URI.parse(obj.data["id"]).path
|
||||
conn = build_conn(:get, path, params)
|
||||
assert ["/notice/#{act.id}"] == HTTPSignaturePlug.route_aliases(conn)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue